Reputation: 35
I want to create a mobile application where users can upload files and share/view them with other users who are in the same user group. The uploaded files should be stored in Amazon's S3. As I am new to AWS, I wonder what the best way is to handle storage and security. Sorry for these rather generic questions.
There will be a webservice running on EC2 in between the mobile apps and S3, which should handle the user group management, login, etc.
Concerning storage, would you recommend creating a bucket for each user group (expecting a very high number of groups) or would you put all objects of all user groups in one bucket?
Depending on the above, how would you deal with authorization, where every user in the same group should be able to upload and retrieve files of his user group? How should I enable the mobile application of each user to download the files he or she is authorized to see, what's required for this?
The webservice should take care of all this, handling authorizations, creating buckets and user groups, but what should the security/authorization architecture look like?
Thanks for any hints. The AWS documentation is huge and I don't know where to start, but I'm happy to read through material if you can point me to it.
Upvotes: 1
Views: 1239
Reputation: 789
I think the best way to go ahead would be to think of S3 as a simple system.
Let all your authentications / access, etc. stay in the business logic that will run on your EC2.
Store the object names (a.k.a. file names) of the S3 objects pertaining to the user in the database (RDS).
Now, once you have a request to show a file to the user you could do one of the following:
OR
BR, Sanket
Upvotes: 4
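The following is an added example, not code from either poster, of the layout the answer describes: group membership and S3 object names live in the service's database, and every request is authorized there before any S3 key is touched. It assumes a single bucket with server-generated keys under a per-group prefix, uses SQLite as a stand-in for RDS, and all table and function names are hypothetical. How the object is then delivered to the client is outside the example.

```python
import sqlite3
import uuid

# Hypothetical schema: the database, not S3, is the source of truth for access.
SCHEMA = """
CREATE TABLE memberships (user_id INTEGER, group_id INTEGER,
                          PRIMARY KEY (user_id, group_id));
CREATE TABLE files (id INTEGER PRIMARY KEY, group_id INTEGER NOT NULL,
                    s3_key TEXT UNIQUE NOT NULL, display_name TEXT NOT NULL);
"""

class AccessDenied(Exception):
    pass

def open_db():
    db = sqlite3.connect(":memory:")  # stand-in for RDS
    db.executescript(SCHEMA)
    return db

def _is_member(db, user_id, group_id):
    row = db.execute("SELECT 1 FROM memberships WHERE user_id=? AND group_id=?",
                     (user_id, group_id)).fetchone()
    return row is not None

def register_upload(db, user_id, group_id, display_name):
    """Authorize an upload and return (file_id, s3_key) for the service to write."""
    if not _is_member(db, user_id, group_id):
        raise AccessDenied("user is not in this group")
    # The key is generated server-side; the client-supplied name is metadata only,
    # so it can never steer the object into another group's prefix.
    s3_key = f"groups/{group_id}/{uuid.uuid4().hex}"
    cur = db.execute(
        "INSERT INTO files (group_id, s3_key, display_name) VALUES (?, ?, ?)",
        (group_id, s3_key, display_name))
    db.commit()
    return cur.lastrowid, s3_key

def resolve_download(db, user_id, file_id):
    """Return the S3 key only if the user shares a group with the file."""
    row = db.execute(
        "SELECT f.s3_key FROM files f JOIN memberships m ON m.group_id = f.group_id "
        "WHERE f.id = ? AND m.user_id = ?", (file_id, user_id)).fetchone()
    if row is None:
        # Same error for 'missing' and 'forbidden' so file ids cannot be probed.
        raise AccessDenied("file not available")
    return row[0]
```

Clients refer to files only by the database id, so the bucket layout stays private to the service and the membership check cannot be bypassed by guessing key names.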